TLS Changes in Version 68

In order to further our general goal of making cPanel & WHM as secure as possible out of the box, beginning with version 68 new installs will default to TLS 1.2, with TLS 1.1 and TLS 1.0 being disabled. You will be able to manually enable them if you need to after the install, but we’re defaulting to a more secure environment. Servers that have upgraded to version 68 will retain the existing settings until systems administrators change over to the new, more secure setting.

What is TLS?

The Transport Layer Security (TLS) protocol allows parties to communicate securely over a computer network. TLS ensures that the connection between a client and server remains private through encryption and, in some cases, public authentication. Over time, TLS (and its predecessor, SSL) has been updated to make sure your web browser is talking securely to the site you are browsing and that the website is who it says it is.

Who will be impacted by updating to TLS 1.2?

A large majority of users will see no change; this transition should be seamless for them, as TLS 1.2 is supported by most modern browsers. There are, however, some stubborn old browsers that might run into issues, such as Internet Explorer 10 and below, as well as the Android Browser on KitKat (4.4.4) and below. More information on browser support for TLS 1.2 is available here: https://caniuse.com/#feat=tls1-2

What will happen if I try to access the server with these old browsers?

If someone tries to access a TLS 1.2 server with an outdated browser or has security settings that limit them to 1.0 or 1.1, they may receive a generic “unable to connect” error that varies by browser. Internet Explorer will state “Internet Explorer cannot display the webpage” without much information to help the user dig deeper.
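To see which clients would hit that error before TLS 1.0 and 1.1 are turned off, the negotiated protocol can be counted from the web server's logs. The Python below is an added example, not cPanel code; the log format (Apache mod_ssl's `%{SSL_PROTOCOL}x` in a custom `LogFormat`), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed Apache mod_ssl log format (an assumption, not a cPanel default):
#   LogFormat "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" \"%{User-agent}i\"" tlsaudit
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$')
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # protocol names as mod_ssl logs them

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 TLSv1 AES128-SHA "GET /login HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
198.51.100.7 TLSv1 AES128-SHA "POST /login HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
192.0.2.44 TLSv1.1 ECDHE-RSA-AES256-SHA "GET /api HTTP/1.1" "ExampleClient/1.0"
192.0.2.99 - - "GET / HTTP/1.1" "curl/7.58.0"
this line is malformed
"""

def audit(log_text):
    """Return (requests per protocol, legacy clients, unparsed line count)."""
    counts = Counter()
    legacy_clients = defaultdict(Counter)  # (ip, user agent) -> protocol -> hits
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # report these instead of silently dropping
            continue
        proto = m["proto"]
        if proto == "-":           # plain HTTP request, no TLS session
            continue
        counts[proto] += 1
        if proto in LEGACY:
            legacy_clients[(m["ip"], m["ua"])][proto] += 1
    return counts, legacy_clients, unparsed

def legacy_share(counts):
    """Fraction of TLS requests that used a protocol older than TLS 1.2."""
    total = sum(counts.values())
    return sum(n for p, n in counts.items() if p in LEGACY) / total if total else 0.0

if __name__ == "__main__":
    counts, clients, unparsed = audit(SAMPLE_LOG)
    print(f"legacy share: {legacy_share(counts):.0%}, unparsed lines: {unparsed}")
    for (ip, ua), protos in sorted(clients.items()):
        print(f"{ip}  {dict(protos)}  {ua}")
```

A non-zero count of unparsed lines means the log format differs from the assumed one and the totals should not be trusted until the pattern is adjusted.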

How do I manually re-enable TLS 1.1 and 1.0?

We don’t recommend falling back to TLS 1.0 and 1.1. We understand some users may need to do so, so there are options available with some modifications required. From version 68, using TLS 1.1 and 1.0 will require additional cipher suite changes. Information on adjusting your cipher suites is available on our cPanel Knowledge Base: How to Adjust Cipher Protocols

How will this work in the future?

While we can’t predict the exact future of web security, we’re already seeing the adoption of TLS 1.3 support by some browsers. TLS 1.3 is in draft at the time of writing, and necessary changes to cPanel & WHM are yet to be determined. If we see that changes to the default settings are necessary, we’ll let people know and ensure the transition is as painless as possible.

Have ideas for future security changes to cPanel & WHM? Submit a feature request and let us know!